madler/zlib

GitHub

github.com

zlib.net

Releases78

Frequency2 months 1 week

Last Release 4 months ago

Stars6.9K

A massively spiffy yet delicately unobtrusive compression library.

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-3381 ↗	Mar 5, 2026Thursday, 5 March 2026, 02:16	9.8 CRITICAL	—
Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib. Compress::Raw::Zlib includes a copy of the zlib library. Compress::Raw::Zlib version 2.220 includes zlib 1.3.2, which addresses findings fron the 7ASecurity audit of zlib. The includes fixs for CVE-2026-27171.
CVE-2026-27171 ↗	Feb 18, 2026Wednesday, 18 February 2026, 04:16	2.9 LOW	—
zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.
CVE-2026-22184 ↗	Jan 7, 2026Wednesday, 7 January 2026, 21:16	7.8 HIGH	—
zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.
CVE-2023-45853 ↗	Oct 14, 2023Saturday, 14 October 2023, 02:15	9.8 CRITICAL	—
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
CVE-2022-37434 ↗	Aug 5, 2022Friday, 5 August 2022, 07:15	9.8 CRITICAL	—
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
CVE-2018-25032 ↗	Mar 25, 2022Friday, 25 March 2022, 09:15	7.5 HIGH	5 MEDIUM
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
CVE-2016-9840 ↗	May 23, 2017Tuesday, 23 May 2017, 04:29	8.8 HIGH	6.8 MEDIUM
inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVE-2016-9841 ↗	May 23, 2017Tuesday, 23 May 2017, 04:29	9.8 CRITICAL	7.5 HIGH
inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVE-2016-9842 ↗	May 23, 2017Tuesday, 23 May 2017, 04:29	8.8 HIGH	6.8 MEDIUM
The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.
CVE-2016-9843 ↗	May 23, 2017Tuesday, 23 May 2017, 04:29	9.8 CRITICAL	7.5 HIGH
The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.